Overview

overview

10

Static

static

3

106162a9e7...53.exe

windows7-x64

10

106162a9e7...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    106162a9e72052611f27b255db7a5d53.exe

  • Size

    10.7MB

  • MD5

    106162a9e72052611f27b255db7a5d53

  • SHA1

    b2c8f9a1c6cd769bdad4d45b3e340b28e0bb2092

  • SHA256

    0bd0d596230aa3958d9f54bd43d3de94685dd9f7ed3e8bd0b5c1a01d48d7e34e

  • SHA512

    0b5966e406ba6c3d861e5b982a539a51c836a8fb08fd1c9295f17c108d29ae72ad687689eadb9fe3540924afab949598dd6f2108f7498d79edffa2a93a7b9ec9

  • SSDEEP

    49152:3nHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:3

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe
    "C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kucdgdbd\
      2⤵
        PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hbdgzyy.exe" C:\Windows\SysWOW64\kucdgdbd\
        2⤵
          PID:1976
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create kucdgdbd binPath= "C:\Windows\SysWOW64\kucdgdbd\hbdgzyy.exe /d\"C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3388
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description kucdgdbd "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:3508
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start kucdgdbd
          2⤵
          • Launches sc.exe
          PID:1764
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4784
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 808
          2⤵
          • Program crash
          PID:3732
      • C:\Windows\SysWOW64\kucdgdbd\hbdgzyy.exe
        C:\Windows\SysWOW64\kucdgdbd\hbdgzyy.exe /d"C:\Users\Admin\AppData\Local\Temp\106162a9e72052611f27b255db7a5d53.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Deletes itself
          PID:4156
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 516
          2⤵
          • Program crash
          PID:1196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1800 -ip 1800
        1⤵
          PID:5004
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2532 -ip 2532
          1⤵
            PID:1212

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\hbdgzyy.exe
            Filesize

            12.0MB

            MD5

            460e1aea8b21a54e4cc80f3a556feb38

            SHA1

            7f13d6724be2f742088671340671a7e93d22ae4b

            SHA256

            6c95b5fe8b7b53c880bd7cb53ce1cb8330579d31f114066bcadf51d31eb025d3

            SHA512

            33885448113e774704436fe74d114eb9b3faf747dc0314636ad539bec7ba7a1fa9a718655911cb951cdfed080722c013d6e9dfbcb992bfede9c740c09039fc5f

            Download Submit

          • C:\Windows\SysWOW64\kucdgdbd\hbdgzyy.exe
            Filesize

            2.0MB

            MD5

            527cec11aa05d2c63cd1b6f81be78b2a

            SHA1

            a342ab4f07b1b4b99735a1f51958987d2340ca11

            SHA256

            407467cba3b16aa396e2debe32b679de8ef6ca827cf8a33f122e9e45038d5fc9

            SHA512

            562c66aca2c0eb69aaa50fed43e5bfb212c70f06c3e5dcb1ae4d613dafd41512b5671e192cbeda4236fbed534b3bc55ecc5132cd7b6a2196f07e496eef543416

            Download Submit

          • memory/1800-11-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/1800-10-0x0000000000D70000-0x0000000000D83000-memory.dmp

            Filesize

            76KB

            Download

          • memory/1800-18-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/1800-9-0x0000000000F00000-0x0000000001000000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2532-16-0x0000000000D70000-0x0000000000E70000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2532-7-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/2532-1-0x0000000000D70000-0x0000000000E70000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2532-15-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/2532-4-0x0000000000400000-0x0000000000C14000-memory.dmp

            Filesize

            8.1MB

            Download

          • memory/2532-2-0x0000000002820000-0x0000000002833000-memory.dmp

            Filesize

            76KB

            Download

          • memory/4156-12-0x0000000000A10000-0x0000000000A25000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4156-17-0x0000000000A10000-0x0000000000A25000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4156-20-0x0000000000A10000-0x0000000000A25000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4156-21-0x0000000000A10000-0x0000000000A25000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4156-22-0x0000000000A10000-0x0000000000A25000-memory.dmp

            Filesize

            84KB

            Download